PRIVACY AND PERSONAL DATA PROTECTION POLICY

Last updated on May 1st, 2021

1. INTRODUCTION

1.1. Welcome to Mercado Bitcoin. Your privacy is essential issue for us. Whether you are a customer, employee, agent, service provider or visitor to our website (www.mercadobitcoin.com.br) and/or mobile application and/or third-party or own APIs (hereinafter referred to as “Platform”), be sure that Mercado Bitcoin is concerned with the protection of your personal data.

1.2. If you are interested in one of our products and want to use the Platform, please read this Privacy and Personal Data Protection Policy, the Terms of Use, the Compliance Policy and the Information Security Policy and please know that you will only be able to use our Platform and services if you agree with the respective conditions and, in doing so, you confirm you agree with the entire content of these documents. Likewise, if you are our employee, agent, service provider or if you have any other type of relationship with the Mercado Bitcoin, please know that you will only be able to start this relationship if you agree with this Privacy and Personal Data Protection Policy, so that if you maintain any relationship with the Mercado Bitcoin, you agree with the entire content of this document.

1.3. Individuals representing legal entities, when they are not themselves the legal representatives of the respective legal entities as per their current articles of incorporation/bylaws, may have the authorization to access the Platform subject to the submission of authorizations by the legal entities to which they are linked.

1.4. Mercado Bitcoin does not accept registrations of minors, under 18 years of age, except if over 16 years old and emancipated by parental consent or by court decision and in the other cases of art. 5, sole paragraph, of the Civil Code.

1.5. Mercado Bitcoin may establish specific rules applicable to a particular product, as the case may be, which will supplement and prevail over this Privacy and Personal Data Protection Policy and the Terms of Use. In any case, you must accept the applicable terms and conditions.

1.6. This Policy was developed in compliance with Laws No. 13,709/2018 (“Brazilian General Data Protection Law ”) and No. 12,965/2014 (“Brazilian Civil Rights Framework for the Internet”) in order to inform you (i) which personal data, how and the purpose for which they are processed; (ii) about your rights pursuant to law and the rules governing the protection of personal data and (iii) about our obligations, concerning our off-line and online interactions and all the activities and services provided. It does not, however, cover the practices of other organizations referenced through links on our Platform and for which we kindly ask that you observe the relevant third party's Privacy Policies and Terms of Use.

1.7. We have divided this Policy into subjects, which can all be accessed through separate links. Please read them all, but for your convenience, whenever you want to revisit a topic, you can click on the topic of interest, and you will then be directed to the respective page:

2. WHO IS MERCADO BITCOIN?

2.1. we are MERCADO BITCOIN SERVIÇOS DIGITAIS LTDA., a company enrolled with the Brazilian Corporate Taxpayers' Registry (CNPJ) under no. 18.213.434/0001-35, and headquartered at Alameda Mamoré, 687, suite 303, r. 03, Alphaville Industrial, Barueri/SP, ZIP 06454-040.

3. WHAT DATA DO WE PROCESS?

3.1. Personal data means all information related to the identified or identifiable natural person, such as name, identity document, address, contact information, etc

3.2. Your data may be collected by Mercado Bitcoin, when you:

a) browse our website, register with us and makes transactions on the Platform;

b) share fundamental information for the performance of the services and improvement of Mercado Bitcoin processes; and

c) get in touch with our service channels.

3.3. Other possible ways Mercado Bitcoin may obtain data, as the case may be, are through external partners and information providers, which help us to understand demographic data and socioeconomic profiles, adding on to the data collected by us; social networks, provided you have given permission to access data on one or more networks, and official public sources, such as public or private databases.

3.4. All data collection sources ensure the protection and confidentiality of your data in accordance with the practices described in this document, with the legislation and with other applicable rules.

3.5. The personal data that will be requested for you to be able to have full access to our services, as the case may be, are: in the case of an individual: Tax ID (CPF), date of birth and email. In the case of a legal entity, Mercado Bitcoin will establish the documents that will be requested.

3.6. Mercado Bitcoin will also ask you to send a scanned copy of a valid photo ID, in addition to a selfie, which is characterized as sensitive personal data essential for identification control in computer systems and, without which, Mercado Bitcoin is unable to render the services provided herein. These are the minimum information necessary for Mercado Bitcoin to be able to securely provide its services, that is, by properly identifying who you are.

3.7. Without the submission of these documents and information, the use of our channels, services and features may be restricted and may even be rendered unfeasible. Mercado Bitcoin may, as the case may be, request other necessary documents from you, in order to ensure full access to the Platform's services, such as income and residence certificates, necessary for upgrading to the Gold segment. In any case, the necessary documents are indicated at Page 4 of 14 https://www.mercadobitcoin.com.br/comissoes-prazos-limites. Please check this link when registering to use the Platform.

3.8. When you register with us, browse our Platform , and use our services, the following data and information may be collected, among others:

a) Contact details: telephone numbers and other related data, with the objective of ensuring greater security to the services and accuracy to the information you provide;

b) Credentials: we collect cryptographic hashes of passwords, secure words, security PIN and necessary security information that you choose for the authentication process, access to accounts and transactions, for the proper control of the access to your account;

c) Demographic data: gender, address, education, income;

d) Financial data: we collect data necessary for withdrawals in Reais (R$), such as bank, account number and branch, as well as information and history of operations carried out on the Platform for your control. We collect trading API keys and encrypted wallet address;

e) Usage data: in addition to data related to your transactions with Crypto, including your user profile, we store data related to your interaction with our communications channels, such as visit duration, navigation paths on the Platform, pageview behavior, access device characteristics, browser, Internet Protocol (IP) address with date and time, IP source, bandwidth and internet service provider (ISP), operating system, device manufacturer, carrier, model, Wi-Fi networks, phone number, device data, device identification (IMEI/MEID), mobile carrier and country of registration and settings;

f) Service data: your interaction on our service channels is also recorded, as well as other details of your contact, which may include content from chat conversations;

g) Relationship data: only when granted unequivocal permission, we may capture data concerning the contacts in your relationship network;

h) Location data: we can, through our Platform, collect location data originating from GPS (Global Navigation System), GNSS (Global Navigation Satellite System), from mobile communications towers, Wi-fi access points or location coming from your IP.

i) Investor Profile Data: we may collect data related to the assets in which you normally invest, for how long and how you would behave in case of abrupt losses of value;

j) Sports Preferences: We may collect data regarding your preference for specific teams (for example football).

3.9. Subscription to the services provided by Mercado Bitcoin presumes the permission to send electronic messages (such as, for example, emails , notifications and SMS) of security and administrative nature, in addition to advertising content, and such submission is essential for the performance and development of our activity. If you do not agree with this procedure, it will be necessary to request the cancellation of your account at Mercado Bitcoin.

4. WHAT DO WE USE THE COLLECTED DATA FOR?

4.1. The main purpose for which we collect your personal data is to comply with the contract with you and offer you the best experience, in a safe, efficient and customized manner. We also use the data collected to create, develop, analyze, communicate, operate, deliver and improve our products, processes and services, to deliver a personalized and sound experience. Without prejudice to the provisions of this item, we may use the data we collect to:

a) Allow transactions to be carried out with Cryptocurrencies made available and supported by Mercado Bitcoin, create purchase and sale orders and generate and allow access to your virtual wallet;

b) Improve our products, processes and services;

c) Customize content, make changes to our products and channels;

d) Provide new features, products and promotional strategies;

e) Offer new products and/or services to you, as well as personalized service and investment portfolio monitoring;

f) Carry out research and campaigns in order to continuously improve Mercado Bitcoin's user experience.

g) Solve problems and answer questions, ensuring the quality of our services and assistance.

h) Establish relevant and assertive communication, respecting your preferences for interaction, as well as for sending important notices, such as announcements, registering changes in software, features, conditions and policies, among others;

i) Improve our security even more, acting effectively in cases of suspicious activities and violations of terms or policies;

j) Analyze the performance, the trends and measure the Platform's audience, check your browsing habits on the Platform, how you arrived on the Platform (for example, through links from other sites, search engines or directly), evaluate statistics related to the number of accesses and use of the Platform, its resources and features;

k) Evaluate and monitor risks for the security of the Platform, improving and developing our security tools, including in compliance with our guidelines for the prevention of Money Laundering and Countering the Financing of Terrorism; and

l) Compliance with legal and regulatory obligations.

4.2. For the qualification, training purposes and for your safety, Mercado Bitcoin may monitor or record telephone conversations with you or with people acting on your behalf. By communicating with Mercado Bitcoin, you understand, agree and authorize that communications may be heard, monitored and/or recorded without prior notice or notification.

4.3. You agree and authorize Mercado Bitcoin to use, copy, reproduce, make available, transmit, process, share and translate into any languages any and all statements, representations, opinions, impressions, comments and suggestions that you decide to make public on our Platform, including social networks, with possible reference or not to your name and your profile picture on these social networks, without any consideration being due by Mercado Bitcoin.

4.4. In addition to the above provisions, Mercado Bitcoin, respecting your privacy, sends messages by electronic means, such as the notifications center on the Platform itself, emails and notifications to confirm Platform activities, for advertising purposes, and also uses technologies such as cookies, pixel tags, local storage or other identifiers, whether from mobile devices or not, for authentication of accounts, improvement of services, customization and for communications of general interest. The sending frequency may vary, depending on your interaction with these communications. At any time, you can request the interruption of these emails through our communication channels, which will be met by Mercado Bitcoin within 10 (ten) days as from your request, by accessing:

a) the Platform, in the menu "Settings / Preferences / Notifications".

b) our Promotional emails, by the respective unsubscribe link.

4.5. The data will be processed by Mercado Bitcoin during the period in which they are necessary or relevant to pursue the purposes set out in the Terms of Use and in this Privacy and Personal Data Protection Policy, except in the cases of preservation provided for in the applicable legislation, especially the Brazilian General Data Protection Law, the Brazilian Civil Rights Framework for the Internet, the Consumer Protection Code and the Civil Code.

5. WHAT ARE THE USERS' RIGHTS AND DUTIES?

5.1. Mercado Bitcoin ensures the rights that you have in accordance with the Brazilian General Data Protection Law, the Brazilian Civil Rights Framework for the Internet and the other Brazilian laws related to data protection, and which are:

a) Access to personal data: allows you to access your own personal data provided in your registration and to request additional information, if you wish;

b) Correction of personal data: allows you to request the correction and/or rectification of your personal data, at any time, in case you identify that any information is incomplete, inaccurate or outdated;

c) Block or deletion of unnecessary, excessive or processed personal data in non-compliance with the Brazilian General Data Protection Law: allows you to request us to cease with the processing of your personal data, and the action taken will be evaluated and met on a case-by-case basis, safeguarding the duty of storage for the legal term in accordance with the Brazilian Civil Rights Framework for the Internet, the Consumer Protection Code and the Civil Code , observing the limitation period for any judicial or administrative claims;

d) Right to portability of personal data: allows you to request Mercado Bitcoin to provide you, or third parties you choose, with your personal data in a structured and inter-operable format;

e) Right of deletion of processed personal data with the consent of the data subject: allows you to request the deletion of your personal data when the processing of this data is optional and has your consent as legal basis, except for the maintenance of data necessary for (i) the compliance with legal or regulatory obligations; (ii) a study by a research body, ensuring, whenever possible, the anonymization of personal data; (iii) compliance with a judicial or administrative decision that requires it; or (iv) because of the duty of storage for the legal term in accordance with the Brazilian Civil Rights Framework for the Internet, the Consumer Protection Code and the Civil Code, subject to the limitation period for any judicial or administrative claims.

f) Right to information about the sharing of personal data: allows you to request information about third parties with whom the Mercado Bitcoin shares your personal data; and

g) Right to revoke consent at any time and the right not to provide it and the consequences of such refusal: allows you to revoke your consent at any time, however, depending on the nature of the personal data, the revocation may imply the impossibility to use the Platform on a permanent basis. Revocation of consent will not have retroactive effects.

5.2. To exercise your rights, you can use the contact channels in our Platform, preferably, unless your agreement with Mercado Bitcoin provides otherwise.

5.3. If you are one of our customers, before meeting your request, Mercado Bitcoin will request additional information to confirm your identity, through one of our KYC - Know Your Client tools. In the event that Mercado Bitcoin is not the Controller of the requesting individual's personal data, Mercado Bitcoin will inform the former about its position as a Personal Data Processor and, if possible, indicate the Controller responsible for meeting such request.

5.4. In addition to rights, you also have some duties established in this Policy, some of which are regulated in the Terms of Use, others in specific agreements with you. If you do not observe them, especially the duties related to the security of your personal data, such as disclosure of your access information (login and password) to third parties, use of public access computers (e.g., lan houses ) or any other form of connection to the internet that is not private and secure, or, even, use of mobile devices with jailbreak or that have applications from unofficial stores, Mercado Bitcoin shall not be liable for acts or facts arising from the breach of any of these duties and/or in which you act with exclusive or concurrent negligence.

5.5. If you need any assistance to exercise your rights, please contact our Help Center, at https://suporte.mercadobitcoin.com.br/hc/pt-br/requests/new, or our Data Protection Officer at the email address [email protected].

6. USE OF COOKIES AND SIMILAR TECHNOLOGIES

6.1. The cookies, the Data Management Platform (“DMP”) tool and similar technologies support the process of customer identification, communication and other marketing actions, in addition to enabling the protection of the collected data. They store information in web browsers, used on computers, phones and other devices, which provide information about your usage of our Platform. They are useful in the processes of authentication, advertising, recommendations, audience measurements, channel resources and features, security analysis for improvement and development of anti-fraud tools.

6.2. Mercado Bitcoin uses its own essential cookies to control, monitor and track any vulnerabilities, risk of incidents and information security incidents, in order to act preventively and provide a safe environment for our customers. We also use thirdparty cookies for statistical analysis of browsing data, in order to evaluate our Platform and constantly improve our services and products, offering a more customized user experience.

6.3. If you do not agree with the use of cookies, you can cancel your account. If you have consented to our Terms of Use and our Privacy and Personal Data Protection Policy, and if you access our Platform and see the pop-up warning the Platform visitor about the use of cookies, please click on "continue", and it will not be necessary to provide any other consent for the use of cookies.

7. HOW LONG ARE PERSONAL DATA STORED FOR?

7.1. Mercado Bitcoin will store your personal data for the duration of the contractual relationship with you, except if legal or regulatory provisions establish otherwise and as required by the maximum statue of limitation provided for in the Brazilian Civil Rights Framework for the Internet, the Consumer Protection Code and the Civil Code. In the event of no contractual relationship, Mercado Bitcoin will store the information you have agreed to provide to us until further request for disposal of your data and in accordance with applicable law.

8. ARE THE COLLECTED DATA SHARED WITH THIRD PARTIES?

8.1. Mercado Bitcoin may share your personal data and other data mentioned in item 3.8 above with companies belonging to the same economic group as Mercado Bitcoin, including MeuBank Pagamentos Ltda. (enrolled at the Brazilian Corporate Taxpayers' Registry (CNPJ) under no. 11.351.086/0001-13), in order to process the purchase and sale of crypto transactions, offer specific features (such as viewing and/or accessing your Mercado Bitcoin account through the Meubank application, in case you are a Meubank customer), to develop and offer of products, services and registration for these companies. When sharing personal data with third parties is necessary to develop and offer products and services that best suit your interests, or the generation of statistical and aggregated data on the use of the Platform, Mercado Bitcoin will, as much as possible, apply anonymization to the data.

8.2. Mercado Bitcoin may also share your personal data in audit processes for corporate operations or with partners and service providers where necessary in order to perform our contract with you.

8.3. Mercado Bitcoin may collect information about you through identity verification entities and a data bureau to detect potential fraud, as well as credit bureaus, credit profiles and risks, for credit analysis, including, without limitation, Accuity, PH3A, Serasa Experian, Brazilian IRS, Advice, UpMiner and Google.

8.4. Mercado Bitcoin can share your personal data with its partners to provide its services, to perform the contract with you, for credit analysis and fraud prevention, as well as to implement its policies on Compliance and Know Your Client, Anti-Money Laundering and Countering the Financing of Terrorism.

8.5. Mercado Bitcoin may share your personal data with public authorities, in case of investigations or administrative or judicial requests in Brazil or abroad (in this case, giving the personal data the same level of protection as that under Brazilian legislation) or by order of a competent authority, such as regulatory agencies, government agencies, in accordance with the provisions of applicable legislation and rules.

8.6. Mercado Bitcoin will be able to carry out international transfers of personal data, by virtue of contracts with technology service providers located abroad, or by virtue of a request from personal data protection authorities or foreign government entities, all in accordance with the Brazilian General Data Protection Law.

9. HOW IS THE COLLECTED DATA PROCESSED?

9.1. Mercado Bitcoin has incorporated all the requirements from the Brazilian General Data Protection Law and other laws and regulations regarding data protection in the processing of your personal data, adopting the following premises:

a) Data minimization. In all the processing of personal data, whether hard or digital data, Mercado Bitcoin strives to only collect and process personal data that are minimally necessary and compatible with the purposes, as set out and informed to the data subjects (taking into account the principles of purpose, suitability and necessity).

b) Transparency.. Mercado Bitcoin ensures that any and all processing of personal data, including under the different forms of collection, use and storage, is fully known by the data subjects as to the type of data, purpose, as well as its preservation and storage period.

c) Confidentiality.. Mercado Bitcoin adopts organizational and technical measures aimed at the confidentiality of personal data under its care, managing and controlling access only to authorized persons, as well as adopting log tracking measures to anticipate and mitigate risks.

d) Prevention and security. Mercado Bitcoin performs regular risk assessment routines and updates technical information security measures to ensure adequate protection of personal data. In this sense, it also ensures, as much as possible, the anonymization or, at least, the pseudonymization of personal data subject to scientific research, statistical analysis and evaluation of any nature to meet the legitimate interests of Mercado Bitcoin, especially those that involve sharing with third parties.

e) Data quality and free access. Mercado Bitcoin ensures to data subjects easy and free access to their personal data, as well as that their data is clear, accurate and up to date.

f) Non-discrimination. Mercado Bitcoin ensures that all personal data processing is carried out lawfully, without any type of discrimination of any kind.

g) Relationship with third parties. In all its relations with third parties that involve the flow of personal data under the responsibility of Mercado Bitcoin, whether with partners or service providers, Mercado Bitcoin will ensure that the contracts establish clauses that provide instructions and regulate the duties and obligations of the third parties as to the protection of your personal data.

h) Liability and accountability. Mercado Bitcoin will continuously strive to adopt effective measures capable of proving the observance and compliance with the rules of protection of personal data.

9.2. All personal data is stored in a secure environment, in a cloud environment ( “ cloud ” ) and on hard servers of providers selected with the premise of respecting data protection legislation, and Mercado Bitcoin not only observes all the rules for transfer of personal data, but is also diligent in ensuring its technological service providers are in line with the company's guidelines for data protection and ensure the data subjects the same level of protection required by Brazilian legislation.

10. WHAT ARE THE SECURITY POLICIES IN PLACE?

10.1. Mercado Bitcoin adopts organizational measures, carrying out training and qualification of its staff, as well as technical measures aimed at information security, for the protection of personal data, against unauthorized disclosure, undue access, change and loss or leakage of data, whether accidental or unlawful. Mercado Bitcoin applies the best security practices in the processing of personal data, such as encryption, regular security monitoring and testing, firewall, among others. Despite all our efforts on information security, the unauthorized access to or use of restricted client areas due to a failure by the data subject (you), or even hardware or software failure and cyber-attacks can compromise the security of your personal data.

10.2. Mercado Bitcoin has mechanisms for access controls and log tracking, with different levels of access restriction to the collected data, ensuring its specific contracts - whether with staff, agents or service providers - have provisions establishing that any non-compliance with this rule involves fines and contract terminations.

10.3. Maintain a safe environment; adopt good practices in creating a password, do not share third party data, such as logins and passwords, use strong passwords, do not use your Mercado Bitcoin password on other websites or services, changing it regularly; enable 2-step verification. It is also important to always disconnect from our Platform after use, avoiding using it on public computers or access networks and keeping your operating system and antivirus up to date.

10.4. Mercado Bitcoin does not send emails or notifications requesting confirmation or personal data, passwords, credit card numbers, encrypted wallet address, etc.; this can be phishing, fraudulent practice that aims to trick you into sharing personal information, logins and passwords with ill-intended individuals. It also does not send electronic messages with attachments that can be executed (extensions: .exe, .com, among others) or links to any downloads. Never reply to any of these emails and please report them on our service channels.

10.5. If you are aware that any third party has had access to your login and password, please follow the procedure provided in our Terms of Use. In the event of a security incident that results in destruction, loss, change, unauthorized access or leakage of personal data, Mercado Bitcoin will communicate it to you, in reasonable time, and take the appropriate measures for the liability of those involved and for mitigation of damages, such as, for example, communication to authorities, blocking access to the respective account, and any other measures that the specific case requires.

11. OTHER INFORMATION

11.1. This Privacy and Personal Data Protection Policy is governed, interpreted and regulated by Brazilian law and must be read in addition to our Information Security Policy and Compliance Policy, as well as our Terms of Use and, where applicable, the respective contracts.

11.2. The São Paulo/SP District Court is hereby appointed in order to settle any disputes that might arise in relation to this Privacy and Personal Data Protection Policy.

11.3. The following instruments are integral and inseparable parts of this Privacy and Personal Data Protection Policy, and are considered incorporated herein by reference:

12. POLICY REVIEWS

12.1. Mercado Bitcoin undertakes to review this Privacy and Personal Data Protection Policy regularly in order to ensure its compliance with law, as well as to comply with the guidelines of the National Data Protection Authority (ANPD), and may, for this purpose, amend its terms at any time. Whenever there is a relevant amendment, such as a new purpose for the personal data already indicated, you will be notified through the contact information provided by you or by a notification through the Platform. In the notification we provide, you will have access to the new text of the Privacy and Protection of Personal Data Policy.

13. DPO CONTACT DETAILS AND INFORMATION

13.1. If you have any questions and/or need to address any matter related to this Privacy and Personal Data Protection Policy, please contact us at [email protected]. If you are our customer, please keep your contact details always up to date, so that we can contact you by email, preferably.

13.2. Our DPO (Data Protection Officer) is Joamir Ângelo Roncasaglia and his email is [email protected].

seta para cima topo